US6925443B1ExpiredUtility

Method, system and computer program product for assessing information security

92
Assignee: SAFEOPERATIONS INCPriority: Apr 26, 2000Filed: Apr 26, 2000Granted: Aug 2, 2005
Est. expiryApr 26, 2020(expired)· nominal 20-yr term from priority
G06Q 20/202G06Q 20/20H04L 63/1433G06Q 30/0203G06Q 20/204G06Q 20/203G06Q 20/207G06Q 20/201G06Q 50/12G06Q 20/208G06F 21/577
92
PatentIndex Score
417
Cited by
51
References
26
Claims

Abstract

A method, system and computer program product for assessing information security interviews users regarding technical and non-technical issues. In an embodiment, users are interviewed based on areas of expertise. In an embodiment, information security assessments are performed on domains within an enterprise, the results of which are rolled-up to perform an information security assessment across the enterprise. The invention optionally includes application specific questions and vulnerabilities and/or industry specific questions and vulnerabilities. The invention optionally permits users to query a repository of expert knowledge. The invention optionally provides users with working aids. The invention optionally permits users to execute third party testing/diagnostic applications. The invention, optionally combines results of executed third party testing/diagnostic applications with user responses to interview questions, to assess information security. A system in accordance with the invention includes an inference engine, which may include a logic based inference engine, a knowledge based inference engine, and/or an artificial intelligence inference engine. In an embodiment, the invention includes an application specific tailoring tool that allows a user to tailor the system to assess security of information handled by a third party application program.

Claims

exact text as granted — not AI-modified
1. A computer implemented method for assessing information security for a plurality of domains within an enterprise, comprising:
 (1) Querying an administrator to identify an enterprise type;  
 (2) Querying the administrator to define domains within the enterprise;  
 (3) Querying the administrator to identify users and user areas of expertise;  
 (4) Tailoring user questions according to the enterprise type, the domains within the enterprise, and the user areas of expertise;  
 (5) Querying the administrator regarding roll-up options for generating enterprise-wide reports;  
 (6) interviewing a first user group regarding a first domain of an enterprise;  
 (7) assessing information security for the first domain based upon user responses to step (6);  
 (8) interviewing a second user group regarding a second domain of the enterprise;  
 (9) assessing information security for the second domain based upon user responses to step (8); and  
 (10) assessing information security for the enterprise based on administrator selected options.  
 
     
     
       2. The method according to  claim 1 , wherein step 10 comprises the step of assessing information security for the enterprise based upon user responses to steps (6) and (8). 
     
     
       3. The method according to  claim 1 , wherein step 10 comprises the step of assessing information security for the enterprise based upon assessment results of steps (7) and (9). 
     
     
       4. The method according to  claim 1 , wherein step (7) comprises the step of generating a report for the first domain, step (9) comprises the step of generating a report for the second domain, and step (10) comprises the step of assessing information security for the enterprise based upon reports generated for the first and second domains. 
     
     
       5. The method according to  claim 1 , wherein step (6) comprises interviewing the first user group regarding IT and information handling issues. 
     
     
       6. The method according to  claim 1 , wherein step (6) comprises interviewing a plurality of users based on each user's area of expertise, and step (7) comprises assessing information security based on responses from the plurality of users. 
     
     
       7. The method according to  claim 1 , further comprising:
 (11) receiving a query from a user in the first user group and providing information in response to the query.  
 
     
     
       8. The method according to  claim 1 , wherein step (7) comprises the step of assessing information security based on user responses to step (6) and results of step (11). 
     
     
       9. The method according to  claim 1 , further comprising:
 (11) providing working aids through the computer to a user in the first user group.  
 
     
     
       10. The method according to  claim 9 , wherein step (6) comprises the step of providing working aids during step (1). 
     
     
       11. The method according to  claim 9 , wherein step (6) comprises the step of providing working aids with a report. 
     
     
       12. The method according to  claim 11 , wherein step (6) further comprises the step of providing working aids that assist users to understand the report. 
     
     
       13. The method according to  claim 11 , wherein step (6) further comprises the step of providing working aids that assist users to develop solutions. 
     
     
       14. The method according to  claim 1 , wherein the first user group consists of a single users. 
     
     
       15. The method according to  claim 1 , wherein the first user group comprises multiple users. 
     
     
       16. The method according to  claim 1 , wherein the first and second user groups each consist of a single user. 
     
     
       17. The method according to  claim 1 , wherein the first and user groups each comprise multiple users. 
     
     
       18. The method according to  claim 17 , wherein a portion of the first user group comprises a portion of the second user group. 
     
     
       19. A computer implemented method for assessing information security for a plurality of domains within an enterprise, comprising:
 (1) Querying an administrator to identify an enterprise type;  
 (2) Querying the administrator to define domains within the enterprise;  
 (3) Querying the administrator to identify users and user areas of expertise;  
 (4) Tailoring user questions according to the enterprise type, the domains within the enterprise, and the user areas of expertise;  
 (5) Querying the administrator regarding roll-up options for generating enterprise-wide reports;  
 (6) interviewing a first user group regarding a first domain of an enterprise;  
 (7) assessing, in a first computer, information security for the first domain based upon user responses to step (6);  
 (8) interviewing a second user group regarding a second domain of the enterprise;  
 (9) assessing, in a second computer, information security for the second domain based upon user responses to step (8); and  
 (10) assessing information security for the enterprise in a third computer based on administrator selected options.  
 
     
     
       20. The method according to  claim 19 , wherein the first and second computers are the same computer. 
     
     
       21. The method according to  claim 19 , wherein the first and third computers are the same computer. 
     
     
       22. The method according to  claim 19 , wherein the first, second, and third computers are the same computer. 
     
     
       23. The method according to  claim 19 , wherein the first and second computers are separate computers. 
     
     
       24. The method according to  claim 19 , wherein the first and third computers are separate computers. 
     
     
       25. The method according to  claim 19 , wherein the first, second, and third computers are separate computers. 
     
     
       26. A computer program product comprising a computer readable medium having computer readable logic stored thereon that causes a computer system to assess information security for a plurality of domains within an enterprise, said computer readable logic comprising:
 an administrator query function that causes the computer system to query an administrator to identify an enterprise type, to define domains within the enterprise, to identify users and user areas of expertise, and to select roll-up options for generating enterprise-wide reports;  
 a question tailoring function that causes the computer system to tailor user questions according to the enterprise type, the domains within the enterprise, and the user areas of expertise;  
 a user querying function that causes the computer system to interview the users according to the questions tailored for the enterprise type, the domains within the enterprise, and the user areas of expertise; and  
 an assessment function that causes the computer system to assess information security for the domains based upon corresponding user responses, and that causes the computer system to assess information security for the enterprise based upon the administrator selected roll-up options.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.